March 2016

March 31, 2016

Suddenly, Last Summer. This was a script very different from the famous movie starring Elizabeth Taylor. But it was last summer that Cravath Swaine and Weil Gotshal, two members of the AMLAW 200, were breached according to a report from the Wall Street Journal (sub. req.). Other firms, not named, were reportedly breached as well.

The Manhattan U.S. attorney's office and the FBI are probing the breaches. It isn't clear what information may have been compromised. The information in the article came from "people familiar with the matter." Because the story came from the Wall Street Journal, I am sure they verified the information reported.

Cravath said that there was a "limited breach" and that the firm is "not aware that any of the information that may have been accessed has been used improperly." The firm is working with law enforcement and outside consultants to assess its security. A spokeswoman for Weil Gotshal declined to comment.

The hackers are threatening more attacks on law firms. The story rocked the legal world (where breaches are usually off the record, on the QT and very hush-hush). More to follow. Dave, John and I will be watching.

March 30, 2016

Very doubtful. Information Week reported that the FBI and the DOJ had claimed at least 19 times that there was no way to open that darn phone (belonging to one of the San Bernardino terrorists) without Apple's help – which was necessary to invoke the All Writs Act. It now turns out that the Department of Justice has been in talks with Israeli security firm Cellebrite about hacking an iPhone 6 for a drug case. Yet the DOJ never mentioned Cellebrite.

Read the whole article because it will raise your blood pressure to read the web of lies constructed by the government. There is no question in my mind that the FBI and DOJ deliberately excluded the NSA (which probably has the capacity to do what we now believe Cellebrite did).

They wanted the legal precedent. Pure and simple. They thought a terrorism case would give it to them – but they were wrong. We know now that there are a lot of phones they want to crack, but they've been denied the precedent. I have no doubt they'll be back to try again.

One point is still unclear. News reports have consistently said they have the phone's data, but that it is encrypted. Reporters were told that it would "take a while" to decrypt. I'm still evaluating who has the capacity to do that – if they do. And how long it might take. The most amusing outcome would be if they had the data but couldn't decrypt it. That would be an amusement worth savoring. I suspect we'll hear nothing but silence from the government either because it can't crack it – or there's nothing of evidential value on the phone.

Newton says the standards have been well-received and will be updated as technology evolves to meet new threats. The inaugural members of the LCCA were Clio, DirectLaw, NetDocuments, Nextpoint, Inc., Onit, Inc. and Rocket Matter, LLC.

The standards are written simply, in clear English - though non-technical folks may need a bit of explanation about certain terms. But it seems to be a very good start at standards that have been sorely needed.

March 28, 2016

On March 1st, Verizon, which famously investigates data breaches, released a Data Breach Digest involving 18 breach scenarios with pithy names. No doubt it was more than a little embarrassed last week when it had to acknowledge a breach of its own.

Attackers used a flaw in the company's Web portal for enterprise customers to steal data on its clients, Verizon said. The compromise resulted in the leak of information on 1.5 million customers, which was put up for sale on a closed forum for $100,000, according to security-industry researcher and journalist Brian Krebs, who first reported the breach.

Verizon claims the company was aware of the breach before it was contacted by Krebs.

In a statement sent to eWEEK, Verizon said "Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible. The impacted customers are currently being notified."

While Verizon did not confirm that 1.5 million customers were impacted, a spokesperson stressed that consumer data was not part of the breach.

Verizon has not yet issued its annual data breach report, so it will be interesting to see if it chooses to say anything about its own breach. John and I are Verizon customers so it will be intriguing, in a dismal sort of way, to see if we receive breach notifications in the coming week.

March 24, 2016

The Apple vs. FBI fight over "back doors" has gotten more interesting with the revelation by the International Business Times via The New York Times that the ISIS terrorists who killed 130 people and injured hundreds more in Paris last year used disposable, untraceable "burner" phones. They activated their burner phones shortly before carrying out attacks throughout Paris, avoiding detection by police and intelligence agencies.

As Snowden commented, "Phones used in real-world ops are disposed on a per-action, per-call basis. Lifetimes of minutes, hours. Not days."

As always, the terrorists – and technology – are way ahead of law enforcement, which is limping to catch up and still making foolish arguments about needing back doors, which all the experts agree are bad for everyone.

So were burner phones used in Brussels? I haven't heard – yet – but I'm betting the answer is yes.

March 23, 2016

Yesterday was quite a day. I knew it was bad when Matt Lauer was on at 6 a.m. with everyone else from Today.

The Brussels bombings left cellphone networks strained, causing officials to advise the public to use social networks to communicate with friends and loved ones. They also advised against streaming audio or video to avoid overloading the local Internet.

I was relieved to see that none of my Facebook friends was in the affected area, but my heart goes out to those who have been killed or injured (and their families) in these latest senseless acts of terrorism.

And thank you Facebook, for giving us a way to communicate and check on the safety of those we care about. I don't often thank you, but Safety Check is a great public service.

March 22, 2016

On March 17th, the Federal Bureau of Investigation (FBI) and the Department of Transportation (DoT) released a public service announcement (PSA) to warn manufacturers and consumers about some of the dangers of connected cars. "Vulnerabilities may exist within a vehicle's wireless communication functions, within a mobile device – such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi – or within a third-party device connected through a vehicle diagnostic port," the PSA said. Officials warned that these new connections could provide cybercriminals with more attack portals and described various ways attackers could remotely access vehicle controls and systems.

The PSA recommended that consumers ensure their vehicle's software is up to date, be careful when making any modifications to vehicle software, maintain awareness, and exercise discretion when connecting third-party devices to vehicles. Officials also provided guidelines for what to do if a consumer suspects their vehicle has been hacked.

Some of the risks mentioned by the PSA involved exploits which disabled the engine or the brakes. Yes, either of those could present a problem. Yikes.

Apparently, car manufacturers "have trouble" making cybersecurity a priority and worry about the costs. Doesn't that make you feel safe getting into your connected car?

March 21, 2016

The busiest three days of our year – every year – are the three days at ABA TECHSHOW. John and I are always grateful for the opportunity to speak there and to join so many illustrious colleagues and friends in trying to put on the best possible conference. Judging by the many ad hoc remarks from attendees, ABA TECHSHOW was once again a great success. Thanks to Chair Steve Best and his board (including John) for their hard work in putting TECHSHOW together.

As always, we learned a lot from our colleagues, as we are all experts in varying disciplines. So yes, the faculty members are also students.

One of the most amusing remarks I heard from an attendee was "Being on the faculty must be so glamorous." I did not disabuse her of that notion, but consider this. In three days, John and I each taught (with a co-presenter) three sessions. All but one was a ground-up build PowerPoint – and required written materials as well. The hours sunk into prepping those were many – and of course we study and annotate our PowerPoints before actually presenting. We had a Meet the Authors session. We worked two hours at the Concierge Booth. We were hosts for a total of three Legal Talk Network Special Reports from ABA TECHSHOW.

As speakers, we needed to be present for the Award Luncheon on Thursday, the Welcome Reception on Wednesday and the 30th Anniversary Reception on Thursday. We attended the Past Chairs champagne reception (thank you to the LP Chair Tom Bolt for that gracious gesture). We hosted a Taste of TECHSHOW dinner on Friday and attended the Past Chairs dinner on Saturday to welcome Steve Best "into the pasture."

We did our best to cover the Expo Hall (#fail) and thank our exhibitors. We met with our co-presenters in person to go over last minute details. As a Board member, John had breakfasts with the Board Thursday and Friday at 7:15 to run through the upcoming day and any attendant issues that needed to be addressed. And we tried, in between all this, to attend the sessions of other speakers to learn and to offer feedback to the Board on first-time speakers.

Glamorous? Not exactly. Would we trade the havoc for anything? Nope. We have the time of our lives every year – but it sure is hard work too. Mark your calendars now for next year's TECHSHOW, March 15-18, 2017. By then, we hope to be re-energized and do it all over again!

March 17, 2016

John and I have been delighted to see our friend Craig Ball return to blogging. Missed you Craig.

His subject a few days ago was Amazon Echo's Alexa, the new woman in his life.

As he puts it, "Alexa streams music, and news updates. Checks the weather and traffic. Orders pizzas and Ubers. Keeps up with the grocery and to do lists. Tells jokes. Turns on the lights. Adjusts the temperature. Answers questions. Does math. Wakes me up. Reminds me of appointments. Of course, she also orders stuff from Amazon." No doubt Craig, no doubt.

She is hands free, which is a great benefit and she plays well with many applications. She is darn convenient. There is a hitch. She is always listening. Alexa only transmits and records what she hears when her name is called. But, as she becomes an omnipresent interface to everything, Alexa will know an awful lot about Craig's activities and interests. She records every interaction, including an audio recording of the person issuing instructions. Craig can view a list of every interaction since Alexa first came into his life, and listen to each recording of the instruction, including background sounds. Others may call this "creepy." Craig calls it "evidence."

This is where John and I are also keenly following Alexa, Cortana, Siri, etc. While they collect a lot of data, they don't make it easy to preserve what they've collected when there is a legal duty to do so.

As Craig says, "I can access each of thousands of interactions with Alexa and listen to the recording of the command. One-by-one. From the standpoint of spoliation, the Alexa app allows commands to be selectively deleted from a user's history and the entire history to be purged; but, insofar as preserving the history when it's potential evidence, Alexa is deaf and dumb."

Amazon has a means to collect and produce the data in criminal matters. But in civil matters, a subpoena will likely prompt no more than a form denial. Account holders have no self-directed mechanism to download a delimited (e.g., spreadsheet-compatible) copy of their data, the only option being an untenable screen-by-screen capture of data, coupled with recording the audio on some other device.

We agree with Craig. Users need an effective, self-directed means to preserve and collect their own data when legal and regulatory duties require it. Google has an excellent take-out mechanism. Twitter's archive does, too. Facebook also allows you to download your own posts and photos. However, most app and service providers offer nothing at all.

This is untenable in the digital world. We need a reasonable means of complying with litigation holds and discovery. And we love Craig's line, "Alexa, are you listening?"

Like Craig, we know of no good way (currently) to achieve these objectives. If any RTL readers do, we would love to hear about it. And be mindful of what you say to these personal assistants – say the wrong words and it is quite possible all you've said will never be forgotten – or forgiven.

March 16, 2016

At the recent RSA Conference, the CSA (Cloud Security Alliance) listed the "Treacherous 12," the top 12 cloud computing threats organizations face in 2016. The CSA released the report to help both cloud customers and providers focus their defensive efforts.

As an InfoWorld article reported, the on-demand nature of cloud computing introduces the possibility of new security breaches that can erase any gains made by the switch to cloud technology, as the CSA warned. Cloud services by nature enable users to bypass organization-wide security policies and set up their own accounts in the service of shadow IT projects. New controls must be put in place to enhance security. Here are the 12 top threats.

Data breaches. Cloud environments face many of the same threats as traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers become an attractive target. Cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud. The CSA has recommended organizations use multifactor authentication and encryption to protect against data breaches.

Compromised credentials and broken authentication. Data breaches and other attacks frequently result from lax authentication, weak passwords, and poor key or certificate management. Organizations often struggle with identity management as they try to allocate permissions appropriate to the user's job role. More important, they sometimes forget to remove user access when a job function changes or a user leaves the organization. Multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services because they make it harder for attackers to log in with stolen passwords.

Hacked interfaces and APIs. Practically every cloud service and application now offers APIs. IT teams use interfaces and APIs to manage and interact with cloud services, including those that offer cloud provisioning, management, orchestration, and monitoring. The security and availability of cloud services -- from authentication and access control to encryption and activity monitoring -- depend on the security of the API. APIs and interfaces tend to be the most exposed part of a system because they're usually accessible from the open Internet.

Exploited system vulnerabilities. System vulnerabilities, or exploitable bugs in programs, are old news but they've become a bigger problem with the advent of multitenancy in cloud computing. Organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces. Best practices to prevent a problem include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.

Account hijacking. Phishing, fraud, and software exploits are still successful, and cloud services increase the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application to launch other attacks. Organizations should prohibit the sharing of account credentials between users and services, as well as enable multifactor authentication schemes where available. Accounts, even service accounts, should be monitored so that every transaction can be traced to a human owner.

Malicious insiders. This might be a current or former employee, a system administrator, a contractor, or a business partner. The goal might be anything from data theft to revenge. The CSA recommends that organizations control the encryption process and keys, segregating duties and minimizing access given to users. Effective logging, monitoring, and auditing of administrator activities are also critical.

The APT parasite. The CSA aptly calls advanced persistent threats (APTs) "parasitical" forms of attack. APTs infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time. APTs typically move laterally through the network and blend in with normal traffic, making them difficult to detect. The major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure, but customers need to be as diligent in detecting APT compromises in cloud accounts as they would in on-premises systems. Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks. In particular, the CSA recommends training users to recognize phishing techniques.

Permanent data loss. Reports of permanent data loss due to provider error have become extremely rare. But malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility. Cloud providers recommend distributing data and applications across multiple zones for added protection. Adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain important with cloud environments. If a customer encrypts data before uploading it to the cloud, then that customer must be careful to protect the encryption key. Once the key is lost, so is the data.

Inadequate diligence. Organizations that embrace the cloud without fully understanding the environment and its associated risks may encounter a "myriad of commercial, financial, technical, legal, and compliance risks," the CSA warned. Due diligence applies whether the organization is trying to migrate to the cloud or merging (or working) with another company in the cloud. For example, organizations that fail to scrutinize a contract may not be aware of the provider's liability in case of data loss or breach.

Cloud service abuses. Cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack. Other examples include launching DDoS attacks, sending spam and phishing emails, and hosting malicious content.

DoS attacks. DoS attacks have gained prominence again thanks to cloud computing because they often affect availability. Systems may slow to a crawl or simply time out. "Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock; there is one way to get to your destination and there is nothing you can do about it except sit and wait," the report said. Cloud providers tend to be better able to handle DoS attacks than their customers, the CSA said. The key is to have a plan to mitigate the attack before it occurs, so administrators have access to those resources when they need them.

Shared technology, shared dangers. Vulnerabilities in shared technology pose a significant threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone. "A single vulnerability or misconfiguration can lead to a compromise across an entire provider's cloud," the report said. The CSA recommended a defense-in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources.
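The credential and account-hijacking items above boil down to three checks an organization can run over its own cloud audit log: has anyone kept using access that should have been removed, is one credential being shared between people or services, and can every service-account action be traced to a human owner. The following is an added illustration, not code from the CSA report or the InfoWorld article; the log records, principal names and key ids are constructed, and the "owner" tag on service-account events is an assumed convention.

```python
"""Review constructed cloud audit-log records for the three account-hygiene
problems named in the Treacherous 12: stale access, shared credentials, and
service-account activity with no human owner. All data here is made up."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime        # when the action happened
    principal: str      # account that performed it
    key_id: str         # credential (access key) used
    action: str         # API action name
    owner: str = ""     # human owner tag for service accounts; "" if absent


# Constructed directory state: date access should have ended, None = active.
ACCESS_ENDED = {"alice": None, "bob": datetime(2016, 3, 1), "svc-backup": None}
SERVICE_ACCOUNTS = {"svc-backup"}

# Constructed sample log: five events over one week.
EVENTS = [
    Event(datetime(2016, 3, 4), "alice", "key-alice", "ListBuckets"),
    # bob left on March 1 but his credentials still work
    Event(datetime(2016, 3, 5), "bob", "key-bob", "GetObject"),
    # service account acting with no human owner recorded
    Event(datetime(2016, 3, 6), "svc-backup", "key-svc", "PutObject"),
    # a person using the service account's key: shared credential
    Event(datetime(2016, 3, 7), "alice", "key-svc", "DeleteObject"),
    # same service account, this time traceable to alice
    Event(datetime(2016, 3, 8), "svc-backup", "key-svc", "PutObject", "alice"),
]


def stale_access(events, access_ended):
    """Principals active on or after the date their access should have ended,
    plus principals the directory does not know at all."""
    flagged = set()
    for e in events:
        if e.principal not in access_ended:
            flagged.add(e.principal)
        elif access_ended[e.principal] is not None and e.ts >= access_ended[e.principal]:
            flagged.add(e.principal)
    return sorted(flagged)


def shared_credentials(events):
    """Key ids used by more than one principal."""
    users_by_key = {}
    for e in events:
        users_by_key.setdefault(e.key_id, set()).add(e.principal)
    return sorted(k for k, users in users_by_key.items() if len(users) > 1)


def untraceable_service_actions(events, service_accounts):
    """(principal, action) pairs by service accounts with no human owner tag."""
    return [(e.principal, e.action)
            for e in events if e.principal in service_accounts and not e.owner]


def review(events=EVENTS):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "stale_access": stale_access(events, ACCESS_ENDED),
        "shared_credentials": shared_credentials(events),
        "untraceable_service_actions": untraceable_service_actions(events, SERVICE_ACCOUNTS),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```

Each finding maps back to a remediation the list gives: revoke stale access, rotate the shared key and stop sharing it, and tag or re-own the service account so its transactions can be traced to a person.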

A very long post, but there's a lot of meat to chew on here. These threats are why so many law firms are afraid of moving data to the cloud, though it is also true that many clouds protect data better than the law firms would themselves.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.